Storage of Payment System Data — Minutes of the meeting held with major
non-compliant Payment System Operators on October 10, 2018

As announced in the First Bi-Monthly Monetary Policy Statement for 2018-19 dated April 05,
2018, a circular was issued by the Reserve Bank on April 06, 2018 on 'Storage of Payment
System Data' requiring all system providers to ensure that, within a period of six months, the
entire data relating to payment systems operated by them is stored in a system only in India.
All non-bank payment system operators (PSOs) were advised vide e-mail dated June 2018
to submit fortnightly progress reports.


2. To take stock of the situation, major non-bank PSOs who had not reported compliance
with the requirements as per the latest fortnightly status reports received from them were
invited for a meeting. NPCI and Indian Software Products Industry Round Table (iSPIRT) were
also present.



3. At the outset, Shri P. Vasudevan, Chief General Manager, extended a warm welcome
to the participants. Shri B. P. Kanungo, Deputy Governor (DG), gave a background of the
primary requirements of the circular and the discussions held with various entities since
issuance of the circular. Storage of data ‘only’ in India and the timeline of 6 months from the
date of the circular are non-negotiable aspects and need to be strictly complied with. He further
added that —

* On the issue of FAQs / clarifications not being released, Shri S. Ganesh Kumar,
Executive Director (ED), had met the entities in May 2018 and had clarified that the
circular contents were clear and did not necessitate any clarifications.

* Sufficient time of 6 months has been given and the entities should have started the 
process of compliance soon after the circular was issued. 

* Of the 7S operational authorized non-bank PSOs, 60 had already complied with the 
requirements and only 16 were non-compliant as per the updates received as on 
September 23, 2018.

* Major entities such as Visa and Mastercard had confirmed that they have initiated 
measures to ensure compliance. AMEX, however, admitted that they have not initiated 
any measures in India so far in this regard. 

* Purpose of the meeting was mainly to understand if the entities were encountering any
technological glitches / issues hindering implementation of requirements. iSPIRT
would help the entities in addressing such issues, if required.








4. NPCI indicated that although they were fully compliant with the guidelines for all
systems operated by them, their participants, especially those handling UPI transactions, were
partially compliant as they had implemented data mirroring; and that they were following up
with them to ensure full compliance of storage of data only in India.

Key issues raised 

5. The issues and concerns raised by Card Networks and PPI issuers were:

i. Option to mirror data may be permitted instead of the requirement of storing data only
in India, as mandating data storage “only” in India would lead to:

a) Requirement of new architecture with impact on various existing downstream 
applications for Indian as well as global operations 

b) Requirement to ensure comparable security, fraud monitoring and risk management
standards for decentralized data pertaining to India operations.

c) Isolation of Indian customers from rest of the world and thus losing out on latest
technological developments (tokenization, etc.).

d) Significant effort required in deletion of data, though mirroring of data is no less 
technologically cumbersome. 

e) Storage in India with processing of transactions overseas will mean additional hops
and could lead to latencies and drops, thus breaking customer experience and trust.

ii. Full compliance will be ensured but adhering to the timeline is a challenge with the 
downside of having a rushed-through situation. Extension of timeline will ensure 
stability and minimize disruptions while implementing a robust solution with
concomitant fraud monitoring and risk management operations. 

iii. Modification in architecture would impact processing capability of downstream
applications at least for the present.

iv. Mandate of domestic data storage is not present in any other jurisdiction including 
Europe and Russia. The present RBI mandate would be first of its kind in the world;
there being no precedence / global architecture, this could cause data integrity issues.

6. The issues / concerns raised by Cross Border MTSS Operators were:

i. Transactions originate offshore and receiver and beneficiary details also form part of
the foreign leg and thus need to be stored abroad.

ii. There is need to comply with requirements of regulators in the jurisdictions they
operate.

iii. Screening against international watchlists, etc., is centralized and thus monitoring
would not be possible.

iv. Can comply with mirroring solution.

7. DG reiterated the regulatory requirement of storage of data only in India and hence the
option of mirroring does not exist. Supervisory access does not merely mean access to data
but implies having complete control over payment data in India. He advised AMEX that
permission accorded to them to store data overseas was when there was no specific
regulation in place; with issuance of the circular under discussion, AMEX as an authorised
PSO cannot but comply.

8. ED clarified that since MTSS operators were permitted to store data pertaining to
foreign leg of the transaction outside, entities would be compliant as long as they ensure that
the data is stored in India as well.

9. Representatives of iSPIRT highlighted that data localization was very much
technologically feasible and could be implemented in multiple ways; the entities should seize
this opportunity and benefit from the first mover advantage by redesigning not just storage but
localize the processing architecture in India as well. They also volunteered to assist and, if
necessary, collaborate with the technology teams of the entities to arrive at a feasible solution
within the regulator mandated timeline.

Suggestions 

10. The card networks indicated that the cost involved, and technological feasibility of
implementation was not a deterrent for storage of data in India. Reimagining the entire
architecture and risk management process was a long-term project. VISA also suggested that
the entities may be permitted to provide well-defined timelines for compliance with the
guidelines and get an audit conducted from independent auditors periodically to demonstrate
compliance to the RBI.

Concluding Remarks 

11. DG advised that, at this point in time, a few days before the compliance deadline, there
was no scope for any relaxation. There was no point in requesting for blanket extension with
the expectation that requirements would be relaxed. He emphasized the need to ensure that
there was no laxity in putting in place proper risk management and fraud risk monitoring
mechanisms. While the data localization requirement should be complied within the prescribed
timeline, any other changes in architecture could be undertaken over a period of time. In case
of non-compliance, an internal review would be undertaken, and appropriate regulatory action
would ensue, he concluded.



